From e84c968ed21764fd8859d369c2aa50bd10ef0937 Mon Sep 17 00:00:00 2001 From: Noboru Iwamatsu Date: Thu, 6 Feb 2020 18:26:21 +0900 Subject: [PATCH] Adapt to Octavia Certificate Configuration Guide. This patch updates the octavia controller deployment to use the latest octavia certificate configuration guide [1]. The dual CA changes were introduced in Train. [1] https://docs.openstack.org/octavia/latest/admin/guides/certificates.html Change-Id: If89ec0d631568db70690f1a69d00115c59abe678 Closes-Bug: #1862133 --- ansible/roles/octavia/tasks/config.yml | 21 +++++++++++-------- ansible/roles/octavia/tasks/precheck.yml | 14 ++++++++++--- .../templates/octavia-health-manager.json.j2 | 18 ++++++++++------ .../templates/octavia-housekeeping.json.j2 | 18 ++++++++++------ .../octavia/templates/octavia-worker.json.j2 | 18 ++++++++++------ .../roles/octavia/templates/octavia.conf.j2 | 9 ++++---- ...-octavia-cert-config-28f0ef2799406957.yaml | 14 +++++++++++++ 7 files changed, 78 insertions(+), 34 deletions(-) create mode 100644 releasenotes/notes/fix-octavia-cert-config-28f0ef2799406957.yaml diff --git a/ansible/roles/octavia/tasks/config.yml b/ansible/roles/octavia/tasks/config.yml index a60991d808..fc480d5b86 100644 --- a/ansible/roles/octavia/tasks/config.yml +++ b/ansible/roles/octavia/tasks/config.yml @@ -94,9 +94,10 @@ - inventory_hostname in groups[service.group] - service.enabled | bool with_items: - - cakey.pem - - ca_01.pem - - client.pem + - client.cert-and-key.pem + - client_ca.cert.pem + - server_ca.cert.pem + - server_ca.key.pem notify: - Restart octavia-worker container @@ -112,9 +113,10 @@ - inventory_hostname in groups[service.group] - service.enabled | bool with_items: - - cakey.pem - - ca_01.pem - - client.pem + - client.cert-and-key.pem + - client_ca.cert.pem + - server_ca.cert.pem + - server_ca.key.pem notify: - Restart octavia-housekeeping container 
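Review bot: The same four-file list is repeated verbatim in this hunk, in the octavia-housekeeping hunk beside it, and again in the health-manager and precheck hunks, so the deploy-side and precheck-side lists can drift apart on the next certificate change; a single role default such as `octavia_certificate_files` referenced as `with_items: "{{ octavia_certificate_files }}"` would keep them in lockstep. Two of the four files (`client.cert-and-key.pem`, `server_ca.key.pem`) carry private keys, and this hunk does not show the module or `mode` used to place them under the node config directory; if the task is a plain `copy`/`template` with the default mode, the host-side copies could be more readable than the 0600 the container JSON applies later, so a `mode: "0600"` on the task is worth confirming. The copying task's header and its `when:` begin above this hunk.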
@@ -130,9 +132,10 @@ - inventory_hostname in groups[service.group] - service.enabled | bool with_items: - - cakey.pem - - ca_01.pem - - client.pem + - client.cert-and-key.pem + - client_ca.cert.pem + - server_ca.cert.pem + - server_ca.key.pem notify: - Restart octavia-health-manager container diff --git a/ansible/roles/octavia/tasks/precheck.yml b/ansible/roles/octavia/tasks/precheck.yml index 6e00c29b02..38a692c184 100644 --- a/ansible/roles/octavia/tasks/precheck.yml +++ b/ansible/roles/octavia/tasks/precheck.yml @@ -35,6 +35,13 @@ - container_facts['octavia_health_manager'] is not defined - inventory_hostname in groups['octavia-health-manager'] +- name: Warn about certificate changes + debug: + msg: >- + Octavia's certificate configuration has been changed since Train. The new + configuration requires 4 PEM files. Please check certificate configuration + guide at https://docs.openstack.org/octavia/latest/admin/guides/certificates.html + - name: Checking certificate files exist for octavia stat: path: "{{ node_custom_config }}/octavia/{{ item }}" @@ -44,6 +51,7 @@ failed_when: not result.stat.exists when: inventory_hostname in groups['octavia-worker'] with_items: - - cakey.pem - - ca_01.pem - - client.pem + - client.cert-and-key.pem + - client_ca.cert.pem + - server_ca.cert.pem + - server_ca.key.pem diff --git a/ansible/roles/octavia/templates/octavia-health-manager.json.j2 b/ansible/roles/octavia/templates/octavia-health-manager.json.j2 index 51d83f40af..e70ddb9491 100644 --- a/ansible/roles/octavia/templates/octavia-health-manager.json.j2 +++ b/ansible/roles/octavia/templates/octavia-health-manager.json.j2 
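Review bot: The new `Warn about certificate changes` task prints its message on every precheck run, so operators who have already migrated will see it indefinitely and learn to ignore it. Checking for the legacy file names the old list used (`cakey.pem`, `ca_01.pem`, `client.pem`) under `{{ node_custom_config }}/octavia/` and only emitting the message when one of them is present would turn it into an actionable upgrade hint; a `fail` in that case would be clearer still, since a stale `ca_01.pem` sitting next to a new `server_ca.cert.pem` suggests the migration is unfinished.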
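Review bot: The existence check still runs only `when: inventory_hostname in groups['octavia-worker']`, while the config tasks deploy the same four files for the octavia-housekeeping and octavia-health-manager groups; if those groups are not a subset of octavia-worker, a missing file is not caught by precheck and only surfaces when the config task fails mid-deploy. Widening the condition, e.g. `when: inventory_hostname in groups['octavia-worker'] or inventory_hostname in groups['octavia-housekeeping'] or inventory_hostname in groups['octavia-health-manager']`, closes that gap. The check also only confirms presence: it cannot tell whether `server_ca.key.pem` is encrypted with `octavia_ca_password`, so that mismatch will still appear only at runtime. The stat task's header (and any `delegate_to`) starts above this hunk.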
@@ -8,20 +8,26 @@ "perm": "0600" }, { - "source": "{{ container_config_directory }}/cakey.pem", - "dest": "/etc/octavia/certs/private/cakey.pem", + "source": "{{ container_config_directory }}/client.cert-and-key.pem", + "dest": "/etc/octavia/certs/client.cert-and-key.pem", "owner": "octavia", "perm": "0600" }, { - "source": "{{ container_config_directory }}/ca_01.pem", - "dest": "/etc/octavia/certs/ca_01.pem", + "source": "{{ container_config_directory }}/client_ca.cert.pem", + "dest": "/etc/octavia/certs/client_ca.cert.pem", "owner": "octavia", "perm": "0600" }, { - "source": "{{ container_config_directory }}/client.pem", - "dest": "/etc/octavia/certs/client.pem", + "source": "{{ container_config_directory }}/server_ca.cert.pem", + "dest": "/etc/octavia/certs/server_ca.cert.pem", + "owner": "octavia", + "perm": "0600" + }, + { + "source": "{{ container_config_directory }}/server_ca.key.pem", + "dest": "/etc/octavia/certs/server_ca.key.pem", "owner": "octavia", "perm": "0600" } diff --git a/ansible/roles/octavia/templates/octavia-housekeeping.json.j2 b/ansible/roles/octavia/templates/octavia-housekeeping.json.j2 index 16731e271e..88580ae1a9 100644 --- a/ansible/roles/octavia/templates/octavia-housekeeping.json.j2 +++ b/ansible/roles/octavia/templates/octavia-housekeeping.json.j2 
@@ -8,20 +8,26 @@ "perm": "0600" }, { - "source": "{{ container_config_directory }}/cakey.pem", - "dest": "/etc/octavia/certs/private/cakey.pem", + "source": "{{ container_config_directory }}/client.cert-and-key.pem", + "dest": "/etc/octavia/certs/client.cert-and-key.pem", "owner": "octavia", "perm": "0600" }, { - "source": "{{ container_config_directory }}/ca_01.pem", - "dest": "/etc/octavia/certs/ca_01.pem", + "source": "{{ container_config_directory }}/client_ca.cert.pem", + "dest": "/etc/octavia/certs/client_ca.cert.pem", "owner": "octavia", "perm": "0600" }, { - "source": "{{ container_config_directory }}/client.pem", - "dest": "/etc/octavia/certs/client.pem", + "source": "{{ container_config_directory }}/server_ca.cert.pem", + "dest": "/etc/octavia/certs/server_ca.cert.pem", + "owner": "octavia", + "perm": "0600" + }, + { + "source": "{{ container_config_directory }}/server_ca.key.pem", + "dest": "/etc/octavia/certs/server_ca.key.pem", "owner": "octavia", "perm": "0600" } diff --git a/ansible/roles/octavia/templates/octavia-worker.json.j2 b/ansible/roles/octavia/templates/octavia-worker.json.j2 index 042349b84f..6220916734 100644 --- a/ansible/roles/octavia/templates/octavia-worker.json.j2 +++ b/ansible/roles/octavia/templates/octavia-worker.json.j2 
@@ -8,20 +8,26 @@ "perm": "0600" }, { - "source": "{{ container_config_directory }}/cakey.pem", - "dest": "/etc/octavia/certs/private/cakey.pem", + "source": "{{ container_config_directory }}/client.cert-and-key.pem", + "dest": "/etc/octavia/certs/client.cert-and-key.pem", "owner": "octavia", "perm": "0600" }, { - "source": "{{ container_config_directory }}/ca_01.pem", - "dest": "/etc/octavia/certs/ca_01.pem", + "source": "{{ container_config_directory }}/client_ca.cert.pem", + "dest": "/etc/octavia/certs/client_ca.cert.pem", "owner": "octavia", "perm": "0600" }, { - "source": "{{ container_config_directory }}/client.pem", - "dest": "/etc/octavia/certs/client.pem", + "source": "{{ container_config_directory }}/server_ca.cert.pem", + "dest": "/etc/octavia/certs/server_ca.cert.pem", + "owner": "octavia", + "perm": "0600" + }, + { + "source": "{{ container_config_directory }}/server_ca.key.pem", + "dest": "/etc/octavia/certs/server_ca.key.pem", "owner": "octavia", "perm": "0600" } diff --git a/ansible/roles/octavia/templates/octavia.conf.j2 b/ansible/roles/octavia/templates/octavia.conf.j2 index b6bd7b21a8..d44e0e02df 100644 --- a/ansible/roles/octavia/templates/octavia.conf.j2 +++ b/ansible/roles/octavia/templates/octavia.conf.j2 
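Review bot: This hunk is byte-for-byte the same as the octavia-health-manager and octavia-housekeeping hunks above: the same four `source`/`dest`/`owner`/`perm` entries under `/etc/octavia/certs/`. A shared Jinja fragment (for example an `octavia-certs.json.j2` pulled in with `{% include %}`) would let the next certificate-layout change touch one file instead of three. Two of the mounted files are, by name, CA certificates (`client_ca.cert.pem`, `server_ca.cert.pem`) and 0600 is harmless for them, but a Jinja comment such as `{# client.cert-and-key.pem and server_ca.key.pem hold private keys; the *_ca.cert.pem files are public #}` would help a reader judging which entries actually protect secret material.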
@@ -11,15 +11,15 @@ bind_port = {{ octavia_api_listen_port }} [certificates] ca_private_key_passphrase = {{ octavia_ca_password }} -ca_private_key = /etc/octavia/certs/private/cakey.pem -ca_certificate = /etc/octavia/certs/ca_01.pem +ca_private_key = /etc/octavia/certs/server_ca.key.pem +ca_certificate = /etc/octavia/certs/server_ca.cert.pem {% if enable_barbican | bool %} region_name = {{ openstack_region_name }} {% endif %} [haproxy_amphora] -server_ca = /etc/octavia/certs/ca_01.pem -client_cert = /etc/octavia/certs/client.pem +server_ca = /etc/octavia/certs/server_ca.cert.pem +client_cert = /etc/octavia/certs/client.cert-and-key.pem [database] connection = mysql+pymysql://{{ octavia_database_user }}:{{ octavia_database_password }}@{{ octavia_database_address }}/{{ octavia_database_name }} @@ -66,6 +66,7 @@ amp_image_tag = amphora amp_secgroup_list = {{ octavia_amp_secgroup_list }} amp_flavor_id = {{ octavia_amp_flavor_id }} amp_ssh_key_name = octavia_ssh_key +client_ca = /etc/octavia/certs/client_ca.cert.pem network_driver = allowed_address_pairs_driver compute_driver = compute_nova_driver amphora_driver = amphora_haproxy_rest_driver diff --git a/releasenotes/notes/fix-octavia-cert-config-28f0ef2799406957.yaml b/releasenotes/notes/fix-octavia-cert-config-28f0ef2799406957.yaml new file mode 100644 index 0000000000..ec060e119b --- /dev/null +++ b/releasenotes/notes/fix-octavia-cert-config-28f0ef2799406957.yaml @@ -0,0 +1,14 @@ +--- +fixes: + - | + Adapt Octavia to the latest dual CA certificate configuration. The + following files should exist in ``/etc/kolla/config/octavia/``: + + * ``client.cert-and-key.pem`` + * ``client_ca.cert.pem`` + * ``server_ca.cert.pem`` + * ``server_ca.key.pem`` + + See the `Octavia documentation + `__ + for details on generating these files.
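Review bot: `ca_private_key_passphrase = {{ octavia_ca_password }}` now has to match the passphrase the operator used when generating `server_ca.key.pem` per the linked guide, and nothing in this change documents or verifies that coupling; a mismatch is only discovered when the worker first tries to sign an amphora certificate. A Jinja comment above the setting, `{# must match the passphrase server_ca.key.pem was encrypted with; see the Octavia certificate guide #}`, plus a sentence in the release note, would make the dependency explicit. As I recall the guide's sample `[certificates]` section also sets `server_certs_key_passphrase`; it is not set in this hunk, and if the template does not set it elsewhere Octavia falls back to its built-in placeholder value, which is publicly known, so it is worth confirming and, if absent, exposing it as a generated deployment secret.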